[strongSwan] Max OSX client

Claude Tompers claude.tompers at restena.lu
Fri Mar 27 16:27:01 CET 2020

Hi Tobias,

Thanks for your help to clean up my config. Everything works fine now. I
had to disable reauth and use rekey only.
It seems that after IKE_SA expiration, OSX can not access the client
certificate properly anymore to reauthenticate.

Have a nice weekend.

On 27/03/2020 07:38, Claude Tompers wrote:
> Hello Tobias,
> Thanks a lot for you remarks. I will review the config.
> kind regards,
> Claude
> On 26/03/2020 17:11, Tobias Brunner wrote:
>> Hi Claude,
>>> Before diving deeper into logs etc. Do these connection settings look
>>> good to you ? Thinking of all sorts of timers.
>> There is lots of questionable stuff in that config.
>>>>>         ikelifetime=60m
>> That's quite low, in particular since you didn't change margintime and
>> rekeyfuzz (see [1] for what that means exactly).
>>>>>         dpdaction=restart
>> That doesn't make much sense on a responder as it's unlikely it can
>> reach the client to reestablish the connection if it failed to
>> retransmit a message several times.
>>>>>         dpddelay=60s
>> That's relatively low for mobile clients that might not be reachable for
>> a while.  If you do that, consider changing the retransmission settings
>> so clients can be offline for a while [2].
>>>>>         dpdtimeout=300s
>> Has no effect on IKEv2 SAs.
>>>>>         keyingtries=5
>> Same as dpdaction, makes not much sense on a responder for mobile clients.
>>>>>         inactivity=4h
>> This only makes sense if trap policies are used, otherwise no CHILD_SA
>> will exist after that (unless the client will reestablish the complete
>> connection immediately if the server terminates the CHILD_SA
>> unexpectedly, but what would the benefit be of that?).
>>>>>         lifetime=4h
>> Why did you set that longer than the IKE_SA lifetime?  Also, refer to
>> [1] for details.
>>>>>         reauth=yes
>> Consider reading up on reauthentication (especially in regards to IKEv2
>> responders) on [1].
>>>>>         mobike=no
>> Why would you disable MOBIKE on a connection for mobile roadwarriors?
>> It's exactly the use case this extension was designed for.
>> Regards,
>> Tobias
>> [1] https://wiki.strongswan.org/projects/strongswan/wiki/ExpiryRekey
>> [2] https://wiki.strongswan.org/projects/strongswan/wiki/Retransmission

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 236 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strongswan.org/pipermail/users/attachments/20200327/ab00f2e1/attachment.sig>

More information about the Users mailing list